# OSS Supply Chain Risk Report - PyPI, npm, OSV and Docker Hub (`changeable_peddler/oss-supply-chain-risk-report`) Actor

Audit Python packages, npm packages, Docker images, lockfiles, SBOMs, and Dockerfiles for vulnerability, maintenance, freshness, popularity, and metadata risk signals.

- **URL**: https://apify.com/changeable_peddler/oss-supply-chain-risk-report.md
- **Developed by:** [Sean](https://apify.com/changeable_peddler) (community)
- **Categories:** Developer tools, Business, Automation
- **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded
- **User rating**: No ratings yet

## Pricing

$1,250.00 / 1,000 oss risk reports

This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event

## What's an Apify Actor?

Actors are software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## OSS Supply Chain Risk Report - PyPI, npm, OSV and Docker Hub

Audit Python packages, npm packages, Docker images, lockfiles, SBOMs, and Dockerfiles for vulnerability, maintenance, freshness, popularity, and metadata risk signals.

Use this Actor as an Apify API for OSS supply-chain risk, SBOM vulnerability review, Python package checks, npm lockfile checks, and Docker image risk triage.

Inspired by Printing Press nvd, pypi, and docker-hub: public package metadata, vulnerability signals, lockfile/SBOM inputs, and container freshness.

### Use cases

- Check `requirements.txt` and pinned PyPI versions before vendor security review.
- Extract npm package-lock dependencies and identify vulnerable package versions through OSV data.
- Parse Dockerfile `FROM` images and audit Docker Hub freshness and metadata.
- Turn CycloneDX or SPDX-like SBOM package URLs into structured risk rows.
- Create dependency triage datasets for procurement, security questionnaires, and due-diligence workflows.

### Search-friendly workflows

- SBOM vulnerability API for Apify users.
- Docker image risk checker for vendor review.
- PyPI and npm dependency risk report for security teams.
- Open-source package due-diligence workflow for procurement.

### Related suite

This Actor is part of the Security Risk Intelligence Suite:

- [OSS Supply Chain Risk Report](https://apify.com/changeable_peddler/oss-supply-chain-risk-report) for package, lockfile, SBOM, and Docker image risk.
- [SEC Red Flag Monitor](https://apify.com/changeable_peddler/sec-red-flag-monitor) for public-company filing risk.
- [Startup Funding Signal Report](https://apify.com/changeable_peddler/startup-funding-signal-report) for startup funding and traction signals.

Use the three together to build repeatable due-diligence, procurement, and security-review workflows from public data.

Public examples and tutorials: https://github.com/shamusj-create/security-risk-intelligence-apify

Suite positioning: see `../docs/suites/SECURITY_RISK_INTELLIGENCE_SUITE.md`.

### Pricing

Recommended pay-per-event pricing:

- Event: `oss-risk-report`
- Price: `$1.25`
- Unit: one bounded oss risk report

The Actor charges before making public-data requests so Apify spending limits can stop work cleanly.

### Example Input

```json
{
    "pypiPackages": [
        "requests",
        "django"
    ],
    "pypiPackageVersions": [
        "requests==2.31.0"
    ],
    "requirementsText": "",
    "dockerImages": [
        "library/redis",
        "nginx"
    ],
    "dockerfileText": "",
    "packageLockJson": {},
    "sbomJson": {},
    "includeNvdKeywordSearch": true,
    "nvdLookbackDays": 365,
    "concurrency": 1
}
```

### Output

Each dataset row includes a status, score, confidence, summary, recommendations, highlights, disambiguation details, metrics, source payloads, and timestamp.

This Actor uses public/read-only data sources. SEC-backed requests require `secContactEmail` and include it in the SEC fair-access User-Agent. The included `research@example.com` smoke-test default is only for local examples; use a real contact email for production runs.

# Actor input Schema

## `pypiPackages` (type: `array`):

Python packages to audit with PyPI JSON and OSV vulnerability data.

## `pypiPackageVersions` (type: `array`):

Exact package versions to audit, for example requests==2.31.0. Exact versions let OSV answer whether the installed version is affected.

## `requirementsText` (type: `string`):

Optional requirements.txt contents. Exact == pins are checked as versioned components; unpinned packages are checked against latest metadata.

## `dockerImages` (type: `array`):

Docker Hub repositories to audit. Use namespace/name, or official image name such as nginx.

## `dockerfileText` (type: `string`):

Optional Dockerfile contents. FROM image references are extracted and audited as Docker Hub components.

## `packageLockJson` (type: `object`):

Optional npm package-lock.json object. Package names and versions are extracted and checked through npm registry metadata and OSV.

## `sbomJson` (type: `object`):

Optional CycloneDX or SPDX-like SBOM JSON. PyPI and Docker package URLs are extracted when present.

## `includeNvdKeywordSearch` (type: `boolean`):

Add a bounded NVD keyword search for recent CVE mentions related to each package or image name.

## `nvdLookbackDays` (type: `integer`):

How far back to search NVD CVEs by keyword.

## `concurrency` (type: `integer`):

Number of package/image audits to run in parallel.

## Actor input object example

```json
{
  "pypiPackages": [
    "requests",
    "django"
  ],
  "pypiPackageVersions": [
    "requests==2.31.0"
  ],
  "requirementsText": "",
  "dockerImages": [
    "library/redis",
    "nginx"
  ],
  "dockerfileText": "",
  "packageLockJson": {},
  "sbomJson": {},
  "includeNvdKeywordSearch": true,
  "nvdLookbackDays": 365,
  "concurrency": 1
}
```
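The schema above describes what the Actor derives from `requirementsText`, `dockerfileText` and `sbomJson` (exact `==` pins, `FROM` image references, PyPI and Docker package URLs) and publishes the limits each array must respect (`maxItems` 20/50/20, `nvdLookbackDays` 30..730, `concurrency` 1..3). The following helper is an added example, not the Actor's own source or the Apify client's API: it performs that extraction locally, fills the arrays instead of the raw text fields, and rejects a payload that would violate the published limits before a pay-per-event run is started. The parsing rules are my reading of the one-line descriptions on this page; the Actor's own parser is not published here and may treat edge cases differently. The sample requirements, Dockerfile and SBOM are constructed for the example.

```python
# Hypothetical helper, not the Actor's own source: derive the Actor's input arrays from local
# artifacts and check them against the limits published in the input schema on this page.
import re
LIMITS = {"pypiPackages": 20, "pypiPackageVersions": 50, "dockerImages": 20}  # maxItems
RANGES = {"nvdLookbackDays": (30, 730), "concurrency": (1, 3)}               # minimum..maximum

_NAME = r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?"      # project name plus optional [extras]
_PIN_RE = re.compile(rf"^\s*{_NAME}\s*==\s*([^\s;#]+)")      # exact pin; marker after ';' ignored
_NAME_RE = re.compile(rf"^\s*{_NAME}")
_FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)


def split_requirements(text: str) -> tuple[list[str], list[str]]:
    """Return (exact 'name==version' pins, unpinned names); comments and pip options are skipped."""
    pinned, unpinned = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        if m := _PIN_RE.match(line):
            pinned.append(f"{m.group(1).lower()}=={m.group(2)}")
        elif m := _NAME_RE.match(line):       # ranges such as 'pyyaml>=6.0' are not exact pins
            unpinned.append(m.group(1).lower())
    return pinned, unpinned


def dockerfile_base_images(text: str) -> list[str]:
    """Return Docker Hub repositories from FROM lines, without stage aliases, scratch, tags or digests."""
    images, stages = [], set()
    for line in text.splitlines():
        if not (m := _FROM_RE.match(line)):
            continue
        ref, alias = m.group(1).split("@", 1)[0], m.group(2)   # drop an @sha256:... digest
        if alias:
            stages.add(alias.lower())
        if ref.lower() in stages or ref.lower() == "scratch":
            continue
        head, _, tail = ref.rpartition("/")
        host = head.split("/", 1)[0]
        if host == "localhost" or "." in host or ":" in host:
            continue                                            # another registry, not Docker Hub
        repo = f"{head}/{tail.split(':', 1)[0]}" if head else tail.split(":", 1)[0]
        if repo not in images:
            images.append(repo)
    return images


def sbom_purls(sbom: dict, types: tuple[str, ...] = ("pypi", "docker")) -> list[str]:
    """Package URLs of the given types from CycloneDX components[] or SPDX packages[].externalRefs[]."""
    found = [c.get("purl", "") for c in sbom.get("components", [])]
    for pkg in sbom.get("packages", []):
        found += [r.get("referenceLocator", "") for r in pkg.get("externalRefs", [])
                  if r.get("referenceType") == "purl"]
    return [p for p in found if p.startswith("pkg:") and p[4:].split("/", 1)[0].lower() in types]


def validate_input(payload: dict) -> list[str]:
    """Problems found against the published limits; an empty list means the payload is acceptable."""
    problems = []
    for key, limit in LIMITS.items():
        if len(payload.get(key, [])) > limit:
            problems.append(f"{key}: {len(payload[key])} items exceeds maxItems {limit}")
    for key, (lo, hi) in RANGES.items():
        if not lo <= payload.get(key, lo) <= hi:
            problems.append(f"{key}: {payload[key]} is outside {lo}..{hi}")
    problems += [f"pypiPackageVersions: {s!r} is not an exact == pin"
                 for s in payload.get("pypiPackageVersions", []) if not _PIN_RE.match(s)]
    return problems


def build_input(requirements="", dockerfile="", package_lock=None, sbom=None, **options) -> dict:
    """Assemble the Actor input (text fields are pre-split locally); raises ValueError on any problem."""
    pinned, unpinned = split_requirements(requirements)
    payload = {"pypiPackages": unpinned, "pypiPackageVersions": pinned, "requirementsText": "",
               "dockerImages": dockerfile_base_images(dockerfile), "dockerfileText": "",
               "packageLockJson": package_lock or {}, "sbomJson": sbom or {},
               "includeNvdKeywordSearch": True, "nvdLookbackDays": 365, "concurrency": 1, **options}
    if problems := validate_input(payload):
        raise ValueError("; ".join(problems))
    return payload


# Constructed sample artifacts, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# option line, pins (one with extras, one with a marker), a range and a bare name
-r base.txt
requests[security]==2.31.0
Django==4.2.7 ; python_version >= "3.8"
pyyaml>=6.0
boto3
"""
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64 python:3.12-slim AS builder
FROM builder AS test
FROM nginx:1.25@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM ghcr.io/example/tool:1.0
FROM library/redis
"""
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "components": [{"purl": "pkg:pypi/requests@2.31.0"},
               {"purl": "pkg:npm/lodash@4.17.21"}, {"purl": "pkg:docker/library/redis@7"}]}
```

`build_input(SAMPLE_REQUIREMENTS, SAMPLE_DOCKERFILE, sbom=SAMPLE_SBOM)` yields a dict that can be passed as `run_input` to the `client.actor(...).call(...)` line in the Python example under the API section. Filling the arrays rather than the text fields makes the count of billed components visible before the run and lets `maxItems` be enforced locally; keyword arguments such as `nvdLookbackDays=90` override the defaults and are validated the same way. `sbom_purls` only previews what the Actor will extract from `sbomJson`; the SBOM object itself is still passed through unchanged.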

# Actor output Schema

## `results` (type: `string`):

Structured report rows.

## `runSummary` (type: `string`):

Counts for processed inputs, API errors, skipped budget-limited items, and charged events.

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {};

// Run the Actor and wait for it to finish
const run = await client.actor("changeable_peddler/oss-supply-chain-risk-report").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = {}

# Run the Actor and wait for it to finish
run = client.actor("changeable_peddler/oss-supply-chain-risk-report").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{}' |
apify call changeable_peddler/oss-supply-chain-risk-report --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=changeable_peddler/oss-supply-chain-risk-report",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "OSS Supply Chain Risk Report - PyPI, npm, OSV and Docker Hub",
        "description": "Audit Python packages, npm packages, Docker images, lockfiles, SBOMs, and Dockerfiles for vulnerability, maintenance, freshness, popularity, and metadata risk signals.",
        "version": "0.0",
        "x-build-id": "BMdJMZxk6OWp5C2Dl"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/changeable_peddler~oss-supply-chain-risk-report/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-changeable_peddler-oss-supply-chain-risk-report",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/changeable_peddler~oss-supply-chain-risk-report/runs": {
            "post": {
                "operationId": "runs-sync-changeable_peddler-oss-supply-chain-risk-report",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/changeable_peddler~oss-supply-chain-risk-report/run-sync": {
            "post": {
                "operationId": "run-sync-changeable_peddler-oss-supply-chain-risk-report",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "properties": {
                    "pypiPackages": {
                        "title": "PyPI packages",
                        "minItems": 0,
                        "maxItems": 20,
                        "type": "array",
                        "description": "Python packages to audit with PyPI JSON and OSV vulnerability data.",
                        "items": {
                            "type": "string"
                        },
                        "default": [
                            "requests",
                            "django"
                        ]
                    },
                    "pypiPackageVersions": {
                        "title": "PyPI package versions",
                        "minItems": 0,
                        "maxItems": 50,
                        "type": "array",
                        "description": "Exact package versions to audit, for example requests==2.31.0. Exact versions let OSV answer whether the installed version is affected.",
                        "items": {
                            "type": "string"
                        },
                        "default": [
                            "requests==2.31.0"
                        ]
                    },
                    "requirementsText": {
                        "title": "requirements.txt",
                        "type": "string",
                        "description": "Optional requirements.txt contents. Exact == pins are checked as versioned components; unpinned packages are checked against latest metadata.",
                        "default": ""
                    },
                    "dockerImages": {
                        "title": "Docker images",
                        "minItems": 0,
                        "maxItems": 20,
                        "type": "array",
                        "description": "Docker Hub repositories to audit. Use namespace/name, or official image name such as nginx.",
                        "items": {
                            "type": "string"
                        },
                        "default": [
                            "library/redis",
                            "nginx"
                        ]
                    },
                    "dockerfileText": {
                        "title": "Dockerfile",
                        "type": "string",
                        "description": "Optional Dockerfile contents. FROM image references are extracted and audited as Docker Hub components.",
                        "default": ""
                    },
                    "packageLockJson": {
                        "title": "package-lock.json",
                        "type": "object",
                        "description": "Optional npm package-lock.json object. Package names and versions are extracted and checked through npm registry metadata and OSV.",
                        "default": {}
                    },
                    "sbomJson": {
                        "title": "SBOM JSON",
                        "type": "object",
                        "description": "Optional CycloneDX or SPDX-like SBOM JSON. PyPI and Docker package URLs are extracted when present.",
                        "default": {}
                    },
                    "includeNvdKeywordSearch": {
                        "title": "Include NVD keyword search",
                        "type": "boolean",
                        "description": "Add a bounded NVD keyword search for recent CVE mentions related to each package or image name.",
                        "default": true
                    },
                    "nvdLookbackDays": {
                        "title": "NVD lookback days",
                        "minimum": 30,
                        "maximum": 730,
                        "type": "integer",
                        "description": "How far back to search NVD CVEs by keyword.",
                        "default": 365
                    },
                    "concurrency": {
                        "title": "Concurrency",
                        "minimum": 1,
                        "maximum": 3,
                        "type": "integer",
                        "description": "Number of package/image audits to run in parallel.",
                        "default": 1
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
